svn commit: r208660 - in projects/capabilities8: contrib/tcpdump
usr.sbin/tcpdump/tcpdump
Robert Watson
rwatson at FreeBSD.org
Sun May 30 22:14:53 UTC 2010
Author: rwatson
Date: Sun May 30 22:14:52 2010
New Revision: 208660
URL: http://svn.freebsd.org/changeset/base/208660
Log:
Merge c174240, c174244 from the p4 TrustedBSD Capabilities branch to
capabilities8:
Further constrain sandboxed tcpdump: don't allow excessive access to
stdin, stdout, and stderr.
Fix copy-and-paste mistake in error message.
Submitted by: antoine
Sponsored by: Google, Inc.
Modified:
projects/capabilities8/contrib/tcpdump/tcpdump.c
projects/capabilities8/usr.sbin/tcpdump/tcpdump/Makefile
Modified: projects/capabilities8/contrib/tcpdump/tcpdump.c
==============================================================================
--- projects/capabilities8/contrib/tcpdump/tcpdump.c Sun May 30 20:31:12 2010 (r208659)
+++ projects/capabilities8/contrib/tcpdump/tcpdump.c Sun May 30 22:14:52 2010 (r208660)
@@ -77,6 +77,7 @@ extern int SIZE_BUF;
#endif /* WIN32 */
#include <sys/capability.h>
+#include <libcapsicum.h>
#include "netdissect.h"
#include "interface.h"
@@ -1198,6 +1199,12 @@ main(int argc, char **argv)
(void)fflush(stderr);
}
#endif /* WIN32 */
+ if (lc_limitfd(STDIN_FILENO, CAP_FSTAT) < 0)
+ error("lc_limitfd: unable to limit STDIN_FILENO");
+ if (lc_limitfd(STDOUT_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0)
+ error("lc_limitfd: unable to limit STDIN_FILENO");
+ if (lc_limitfd(STDERR_FILENO, CAP_FSTAT | CAP_SEEK | CAP_WRITE) < 0)
+ error("lc_limitfd: unable to limit STDERR_FILENO");
if (cap_enter() < 0)
error("cap_enter: %s", pcap_strerror(errno));
status = pcap_loop(pd, cnt, callback, pcap_userdata);
Modified: projects/capabilities8/usr.sbin/tcpdump/tcpdump/Makefile
==============================================================================
--- projects/capabilities8/usr.sbin/tcpdump/tcpdump/Makefile Sun May 30 20:31:12 2010 (r208659)
+++ projects/capabilities8/usr.sbin/tcpdump/tcpdump/Makefile Sun May 30 22:14:52 2010 (r208660)
@@ -50,8 +50,8 @@ CFLAGS+= -DINET6
CFLAGS+= -DLBL_ALIGN
.endif
-DPADD= ${LIBL} ${LIBPCAP}
-LDADD= -ll -lpcap
+DPADD= ${LIBL} ${LIBPCAP} ${LIBCAPSICUM}
+LDADD= -ll -lpcap -lcapsicum
.if ${MK_OPENSSL} != "no" && !defined(RELEASE_CRUNCH)
DPADD+= ${LIBCRYPTO}
LDADD+= -lcrypto
More information about the svn-src-projects
mailing list